THRD-02

Do you have contractual language in place with third parties governing access to institutional data?

Explanation

This question is asking whether your organization has formal contractual agreements with any third-party vendors or service providers that specifically address how they can access, handle, and protect your institution's data.

In the context of security assessments, this question is important because third-party access to institutional data represents a significant security risk. When you share data with external parties, you're extending your security perimeter beyond your direct control. Without proper contractual safeguards, third parties might not handle your data with the same level of care that you would, potentially leading to data breaches, unauthorized access, or compliance violations.

The guidance asks you to list each third party that has access to institutional data and explain why that data is shared with them. This helps the assessor understand the scope of third-party data access and evaluate whether each instance of data sharing is necessary and properly governed.

To best answer this question:

1. Identify all third parties that have access to your institutional data.
2. Confirm whether you have contractual language with each one that specifically addresses data security, privacy, and access controls.
3. For each third party, clearly state why they need access to your data (the business purpose).
4. Be specific about the types of data shared when possible.
5. If you don't have proper contractual protections in place with some vendors, acknowledge this gap and describe any remediation plans.

Guidance

List each third party and why institutional data is shared with them. Format example: [Third Party Name] - Reason

Example Responses

Example Response 1

Yes, we have contractual language in place with all third parties that access institutional data. Our contracts include specific clauses regarding data protection, confidentiality, access controls, and security requirements. We regularly review these agreements to ensure compliance.

[Third Party List]
Amazon Web Services (AWS) - Cloud hosting provider for our core applications and databases
Salesforce - CRM system that stores customer and prospect information
Workday - HR system containing employee data for payroll and benefits administration
ServiceNow - IT service management platform that may contain user information during support tickets
Mailchimp - Email marketing platform that contains contact information for communications

All contracts include data processing addendums that comply with relevant regulations (GDPR, CCPA, etc.) and specify data handling requirements, breach notification procedures, and audit rights.

Example Response 2

Yes, we maintain contractual agreements with third parties that govern access to institutional data. Each agreement includes specific provisions for data security, confidentiality, and compliance with applicable regulations.

[Third Party Name] - Reason
Microsoft Azure - Primary cloud infrastructure provider hosting our applications and databases
Zendesk - Customer support platform containing ticket information and limited customer data
DocuSign - Electronic signature service processing contractual documents with sensitive information
Blackboard - Learning management system containing student educational records and course materials
Paychex - Payroll processor with access to employee financial and personal information
Twilio - Communication platform for sending SMS notifications containing minimal customer contact data

Our legal team reviews all contracts annually to ensure they meet our security requirements and include appropriate data protection clauses, including breach notification requirements and right-to-audit provisions.

Example Response 3

No, we do not currently have comprehensive contractual language in place with all third parties that access institutional data. We are in the process of implementing a formal vendor management program that will address this gap.

[Third Party Name] - Reason
Google Cloud Platform - Primary cloud infrastructure hosting our applications
Zoom - Video conferencing platform that may process meeting recordings containing sensitive discussions
Dropbox - File sharing platform used by some departments for collaboration

While we have standard service agreements with these providers, we recognize that our current contracts lack specific language governing data access, security controls, and compliance requirements. We have engaged our legal team to develop standardized data protection addendums and are prioritizing updates to our agreements with vendors that process the most sensitive data. We expect to have updated contracts in place with all critical vendors within the next 6 months.

Context

Tab: Organization
Category: Assessment of Third Parties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub